Date: Mon, 11 Jul 2022 13:42:37 GMT From: Ryan Steinmetz <zi@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 7b6aed9ac322 - main - security/stunnel: Drop privs by default, update PID file location Message-ID: <202207111342.26BDgb8j097823@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by zi: URL: https://cgit.FreeBSD.org/ports/commit/?id=7b6aed9ac322d8a3820d8f0615eb623bb815f7ee commit 7b6aed9ac322d8a3820d8f0615eb623bb815f7ee Author: Ryan Steinmetz <zi@FreeBSD.org> AuthorDate: 2022-07-11 13:41:15 +0000 Commit: Ryan Steinmetz <zi@FreeBSD.org> CommitDate: 2022-07-11 13:41:15 +0000 security/stunnel: Drop privs by default, update PID file location - Document changes in UPDATING PR: 249151 Reported by: Tatsuki Makino <tatsuki_makino@hotmail.com> --- UPDATING | 13 +++++++++++++ security/stunnel/Makefile | 9 +++++++-- security/stunnel/files/daemon.conf.in | 3 +++ security/stunnel/files/pid.conf | 1 - security/stunnel/files/stunnel.in | 18 ++++++++++++++++-- security/stunnel/pkg-plist | 2 +- 6 files changed, 40 insertions(+), 6 deletions(-) diff --git a/UPDATING b/UPDATING index 9e1dc3faf14d..6d76e6add9b7 100644 --- a/UPDATING +++ b/UPDATING @@ -5,6 +5,19 @@ they are unavoidable. You should get into the habit of checking this file for changes each time you update your ports collection, before attempting any port upgrades. +20220711: + AFFECTS: users of security/stunnel + AUTHOR: zi@FreeBSD.org + + The stunnel port has been updated to drop privileges to the stunnel + user by default. + + As a result of this change, the pid file location has changed. If + you have a running copy of stunnel, you should stop the process + before performing the upgrade. Alternatively, you will need to + # pkill stunnel;service stunnel start + after the upgrade has been completed. + 20220628: AFFECTS: users of Erlang and Elixir AUTHOR: dch@FreeBSD.org diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile index 6db2dad118db..ea08a6fc6780 100644 --- a/security/stunnel/Makefile +++ b/security/stunnel/Makefile @@ -16,7 +16,7 @@ LICENSE= GPLv2 GPLv3 LICENSE_COMB= dual BROKEN_SSL= libressl libressl-devel -BROKEN_SSL_REASON= Missing upstream support +BROKEN_SSL_REASON= missing upstream support USES= cpe libtool perl5 shebangfix ssl USE_PERL5= build @@ -27,6 +27,10 @@ GNU_CONFIGURE= yes CONFIGURE_ARGS= --localstatedir=/var/tmp --enable-static --disable-systemd \ --with-ssl="${OPENSSLBASE}" SHEBANG_FILES= src/stunnel3.in +SUB_FILES= daemon.conf +SUB_LIST= STUNNEL_PIDFILE=${STUNNEL_PIDFILE} \ + STUNNEL_USER=${STUNNEL_USER} \ + STUNNEL_GROUP=${STUNNEL_GROUP} OPTIONS_DEFINE= DOCS EXAMPLES FIPS IPV6 LIBWRAP OPTIONS_SINGLE= THREAD @@ -42,6 +46,7 @@ FORK_DESC= Use the fork(3) threading model PTHREAD_DESC= Use the pthread(3) threading model UCONTEXT_DESC= Use the ucontext(3) threading model +STUNNEL_PIDFILE=/var/run/stunnel/stunnel.pid STUNNEL_USER?= stunnel STUNNEL_GROUP?= stunnel @@ -101,7 +106,7 @@ post-build: post-install: ${MKDIR} ${STAGEDIR}${ETCDIR}/conf.d/ - ${INSTALL_DATA} ${FILESDIR}/pid.conf ${STAGEDIR}${ETCDIR}/conf.d/00-pid.conf + ${INSTALL_DATA} ${WRKDIR}/daemon.conf ${STAGEDIR}${ETCDIR}/conf.d/00-daemon.conf cert: @${ECHO} "" diff --git a/security/stunnel/files/daemon.conf.in b/security/stunnel/files/daemon.conf.in new file mode 100644 index 000000000000..af40302a0927 --- /dev/null +++ b/security/stunnel/files/daemon.conf.in @@ -0,0 +1,3 @@ +pid = %%STUNNEL_PIDFILE%% +setuid = %%STUNNEL_USER%% +setgid = %%STUNNEL_GROUP%% diff --git a/security/stunnel/files/pid.conf b/security/stunnel/files/pid.conf deleted file mode 100644 index f2b23cc181bb..000000000000 --- a/security/stunnel/files/pid.conf +++ /dev/null @@ -1 +0,0 @@ -pid = /var/run/stunnel.pid diff --git a/security/stunnel/files/stunnel.in b/security/stunnel/files/stunnel.in index a36dd7eb01ed..0d90942e1827 100644 --- a/security/stunnel/files/stunnel.in +++ b/security/stunnel/files/stunnel.in @@ -13,9 +13,11 @@ # Set it to the full path to the config file # that stunnel will use during the automated # start-up. -# stunnel_pidfile (str): Default "%%PREFIX%%/var/stunnel/stunnel.pid" +# stunnel_pidfile (str): Default "%%STUNNEL_PIDFILE%%" # Set it to the value of 'pid' in # the stunnel.conf file. +# stunnel_uid (str): Default "%%STUNNEL_USER%%" +# stunnel_gid (str): Default "%%STUNNEL_GROUP%%" # . /etc/rc.subr @@ -27,7 +29,9 @@ load_rc_config $name : ${stunnel_enable="NO"} : ${stunnel_config="%%ETCDIR%%/${name}.conf"} -: ${stunnel_pidfile="/var/run/${name}.pid"} +: ${stunnel_pidfile="%%STUNNEL_PIDFILE%%"} +: ${stunnel_uid="%%STUNNEL_USER%%"} +: ${stunnel_gid="%%STUNNEL_GROUP%%"} command="%%PREFIX%%/bin/stunnel" command_args=${stunnel_config} @@ -35,4 +39,14 @@ pidfile=${stunnel_pidfile} required_files="${stunnel_config}" +start_precmd=stunnel_start_precmd + +stunnel_start_precmd () { + local piddir + piddir=`/usr/bin/dirname "${pidfile}"` + if [ ! -d "${piddir}" ] ; then + /usr/bin/install -d -o "${stunnel_uid}" -g "${stunnel_gid}" "${piddir}" + fi +} + run_rc_command "$1" diff --git a/security/stunnel/pkg-plist b/security/stunnel/pkg-plist index f886b2582c5a..2e74830fd335 100644 --- a/security/stunnel/pkg-plist +++ b/security/stunnel/pkg-plist @@ -1,7 +1,7 @@ bin/stunnel bin/stunnel3 %%ETCDIR%%/stunnel.conf-sample -%%ETCDIR%%/conf.d/00-pid.conf +%%ETCDIR%%/conf.d/00-daemon.conf lib/stunnel/libstunnel.a lib/stunnel/libstunnel.so man/man8/stunnel.8.gz
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202207111342.26BDgb8j097823>